I am taking my exam next week in my security class. We have to make a configuartion at home and then insert this config into the ASA5510 in class. I just need someone who has more experience than me to verify that my config is correct, any help or suggestions would be helpful. The config is kind of long, but I broke it up into pices for easy troubleshooting. If you see "(ipremoved)" I did that because we have public IP address assigned to the ASA outside interface. Thank you
What the ASA needs to do:
- Dynamic NAT hosts can browse the Internet, and the server has static NAT
- DHCP
- The instructor workstation ONLY can (www, ftp, ssh, rdp, ping) into an inside static nat server
- VPN into the network using the Cisco VPN client software
- Use SSH to authenticate through an AAA (Radius)
Config:
*****initial:
interface Ethernet0/1
nameif outside
security-level 0
no shut
ip address dhcp setroute
interface Ethernet0/0
nameif inside
security-level 100
no shut
ip address 192.168.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 (ipremoved) 1
http server enable
http 192.168.30.10 255.255.255.255 inside
username cisco password cisco
hostname CSSFINAL
enable password cisco
domain-name css210.edu
*****DHCP:
dhcpd address 192.168.30.200-192.168.30.250 inside
dhcpd lease 86400 interface inside
dhcpd domain css210.edu interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
*****NAT (static, PAT):
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255
global (outside) 1 interface
*****ACL:
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp host (IP of INST) host (ipremoved) eq 3389
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq www
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp-data
access-list outside_access_in extended permit icmp host (IP OF INST) host (ipremoved) echo
access-list outside_access_in extended permit tcp host (IP OF INSTRUCTOR) any eq 22
access-group outside_access_in in interface outside
*****SSH:
key generate rsa modulus 1024
ssh 192.168.30.0 255.255.255.0 inside
ssh (ipremoved) 255.255.255.0 outside
ssh version 2
*****AAA:
aaa-server MSNPS protocol radius
aaa-server MSNPS (INSIDE) host 192.168.30.N key cisco
aaa authentication telnet console MSNPS LOCAL
aaa authentication ssh console MSNPS LOCAL
*****Logging:
logging host inside 192.168.30.10
*****IPsec VPN:
ip local pool MYVPNPOOL 192.168.30.100-192.168.30.150
nat (inside) 0 access-list VPN-NAT0
access-list VPN-NAT0 extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.30.0 255.255.255.0
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MYDYNMAP 1 set transform-set MYSET
crypto dynamic-map MYDYNMAP 1 set security-association lifetime seconds 28800
crypto dynamic-map MYDYNMAP 1 set security-association lifetime kilobytes 4608000
crypto map MYMAP 1 ipsec-isakmp dynamic MYDYNMAP
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 84600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy MYPOLICY internal
group-policy MYPOLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group MYTGROUP type remote-access
tunnel-group MYTGROUP general-attributes
address-pool MYVPNPOOL
default-group-policy MYPOLICY
tunnel-group MYTGROUP ipsec-attributes
pre-shared-key cisco
